16.10 - Using IP Access Restrictions - Teradata Database

Teradata Database Security Administration

prodname: Teradata Database
vrm_release: 16.10
created_date: June 2017
category: Administration, Security
featnum: B035-1100-161K
  • If any IP filter rejects a user, the user logon fails, even if all other filters allow the user.
  • There is no limit to the number of IP restrictions concurrently in effect, but the database limits the size of the GDO that contains the limits to 128 KB, for both XML and directory implementations. If you plan IP restrictions carefully, the 128 KB limit should be sufficient for most systems.
    • The GDO can contain dozens of filters and over 10,000 user names of 10 characters.
    • Companies with very large user bases can save GDO space by employing the directory-based implementation of IP restrictions and mapping multiple directory users to a smaller number of Teradata Database users that have the same access restrictions.
  • Only a single set of restrictions, either XML or directory based, can exist at a time.
  • To change the IP restrictions, revise the existing XML document or directory setup and then re-import the file into the GDO using the appropriate utility. The new restrictions overwrite the old GDO. See Editing or Disabling IP Restrictions.
  • You must perform a database restart to activate the initial IP restrictions. Subsequent changes to the restrictions do not require a restart. See the tpareset utility in Utilities.
  • Unity does not require a restart to see new or changed IP restrictions.
  • Use of some applications, for example, network address translation (NAT) devices or other middleware, prevents the Gateway from seeing or restricting the user IP address. However, Unity passes IP addresses to the Teradata Gateway for enforcement.
  • If you add or alter an IP restriction that denies access to the IP address through which the user is already logged on, the pre-existing user session remains connected. The Gateway denies the user access from that IP at the next logon, including a reconnect of the pre-existing session caused by a system restart.
  • You can create IP restrictions for either IPv4 or IPv6 formatted IP addresses.
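
The rule that a single rejecting filter fails the logon, and the note that a pre-existing session stays connected after a restriction change, can be modelled together to audit sessions after an update. This is an added example, not Teradata code: the `IPFilter` structure, the filter names, users and addresses are constructed assumptions and do not reflect the product's XML or directory schema or the Gateway's implementation.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class IPFilter:
    """Hypothetical, simplified filter; not the Teradata XML or directory schema."""
    name: str
    users: frozenset   # database user names the filter applies to
    allow: tuple = ()  # CIDR strings; empty means any address that is not denied
    deny: tuple = ()   # CIDR strings

    def rejects(self, user: str, ip: str) -> bool:
        if user not in self.users:
            return False  # assumption: a filter only judges the users it names
        addr = ipaddress.ip_address(ip)

        def hit(cidrs):
            nets = (ipaddress.ip_network(c) for c in cidrs)
            # An IPv4 address never matches an IPv6 network, and vice versa.
            return any(addr.version == n.version and addr in n for n in nets)

        return hit(self.deny) or (bool(self.allow) and not hit(self.allow))

def rejecting_filters(filters, user, ip):
    """Names of every filter that rejects this user/address pair."""
    return [f.name for f in filters if f.rejects(user, ip)]

def logon_allowed(filters, user, ip):
    """One rejecting filter is enough to fail the logon."""
    return not rejecting_filters(filters, user, ip)

def stale_sessions(filters, sessions):
    """Connected sessions that would be refused at their next logon or reconnect."""
    return [(u, ip, r) for u, ip in sessions
            if (r := rejecting_filters(filters, u, ip))]

# Constructed sample data (documentation address ranges, made-up user names).
FILTERS = [
    IPFilter("office_only", frozenset({"alice", "bob"}),
             allow=("10.20.0.0/16", "2001:db8:20::/48")),
    IPFilter("block_lab", frozenset({"bob"}), deny=("10.20.99.0/24",)),
]
SESSIONS = [("alice", "10.20.5.7"), ("bob", "10.20.99.14"),
            ("bob", "2001:db8:20::15"), ("carol", "192.0.2.9")]

if __name__ == "__main__":
    for user, ip, names in stale_sessions(FILTERS, SESSIONS):
        print(f"{user}@{ip} stays connected but fails next logon: {names}")
```

In the sample, `bob` at `10.20.99.14` passes `office_only` but is rejected by `block_lab`, so the logon fails even though another filter allows it.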